This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.
Dashboard requirements matrix
The Enterprise Security dashboards rely on events that conform to the Common Information Model (CIM), and are accelerated using the data model acceleration feature of Splunk Enterprise. The tables break out the Enterprise Security app dashboard to the data models being referenced.
Dashboard to data model
A - E
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Access Anomalies | Geographically Improbable Accesses | Authentication | Authentication.app, .src, .user_bunit |
| Concurrent Application Accesses | Authentication.app, .src, .user | ||
| Access Center | Access Over Time By Action | Authentication | Authentication.action |
| Access Over Time By App | Authentication.app | ||
| Top Access By Source | Authentication.src | ||
| Top Access By Unique User | Authentication.user,.src | ||
| Access Search | Authentication.action, .app, src, .dest, .user, src_user | ||
| Access Tracker | First Time Access - Last 7 days | None. Calls access_tracker lookup | |
| Inactive Account Usage - Last 90 days | |||
| Completely Inactive Accounts - Last 90 days | |||
| Account Usage For Expired Identities - Last 7 days | Authentication | Authentication.dest | |
| Account Management | Account Management Over Time | Change Analysis | All_Changes.Account_Management, .action |
| Account Lockouts | All_Changes.Account_Management, .result | ||
| Account Management By Source User | All_Changes.Account_Management, .src_user | ||
| Top Account Management Events | All_Changes.Account_Management, .action | ||
| Asset Center | Assets By Priority | Assets And Identities | All_Assets.priority, .bunit, .category, .owner |
| Assets By Business Unit | |||
| Assets By Category | |||
| Asset Information | |||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Default Account Activity | Default Account Usage Over Time By App | Authentication | Authentication.Default_Authentication, .action, .app |
| Default Accounts In Use | Authentication.user_category, .dest, .user | ||
| Default Local Accounts | None. Calls useraccounts_tracker lookup | ||
| DNS Activity | Top Reply Codes By Unique Sources | Network Resolution DNS | DNS.message_type, DNS.reply_code |
| Top DNS Query Sources | DNS.message_type, DNS.src | ||
| Top DNS Queries | DNS.message_type, DNS.query | ||
| Queries Per Domain | DNS.message_type, DNS.query | ||
| Recent DNS Queries | DNS.message_type | ||
| DNS Search | DNS.message_type, DNS.reply_code, DNS.dest, DNS.src ,DNS.query_type, DNS.query, DNS.answer | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Email Activity | Top Email Sources | All_Email.src | |
| Large Emails | All_Email.size, src, .src_user, .dest | ||
| Rarely Seen Senders | All_Email.protocol, .src, .src_user, .recipient | ||
| Rarely Seen Receivers | All_Email.protocol, .src, .recipient | ||
| Email Search | All_Email.protocol, .recipient, .src, .src_user, .dest | ||
| Endpoint Changes | Endpoint Changes By Action | Change Analysis | All_Changes.Endpoint_Changes, .action |
| Endpoint Changes By Type | All_Changes.Endpoint_Changes, .object_category | ||
| Endpoint Changes By System | All_Changes.Endpoint_Changes, .object_category, .dest | ||
F - M
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Forwarder Audit | Event Count Over Time By Host | None. Calls host_eventcount macro and search. | |
| Hosts By Last Report Time | |||
| Splunkd Process Utilization | Application State | All_Application_State.Processes.cpu_load_percent, .mem_used, .process, All_Application_State.dest | |
| Splunk Service Start Mode | All_Application_State.Services.start_mode, .status, .service | ||
| HTTP Category Analysis | Category Distribution | Web | Web.src, .category |
| Category Details | Web.src, .dest, .category, | ||
| HTTP User Agent Analysis | User Agent Distribution | Web | Web.http_user_agent_length, .http_user_agent |
| User Agent Details | Web.http_user_agent_length, .src, .dest, .http_user_agent | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object | |
|---|---|---|---|---|
| Identity Center | Identities By Priority | Assets and Identities | All_Identities.priority, .bunit, .category | |
| Identities By Business Unit | ||||
| Identities By Category | ||||
| Identity Information | ||||
| Incident Review Audit | Review Activity By Reviewer | None. Calls a search over the es_notable_events KVStore collection. | ||
| Top Reviewers | ||||
| Notable Events By Status - Last 48 hours | ||||
| Notable Events By Owner - Last 24 hours | ||||
| Recent Review Activity | ||||
| Indexing Audit | Events Per Day Over Time | None. Calls a search over the licensing_epd KVStore collection. | ||
| Events Per Day | ||||
| Events Per Index (Last Day) | ||||
| Intrusion Center | Attacks Over Time By Severity | Intrusion Detection | IDS_Attacks.severity | |
| Top Attacks | IDS_Attacks.dest, .src, .signature | |||
| Scanning Activity (Many Attacks) | IDS_Attacks.signature | |||
| New Attacks | IDS_Attacks.ids_type | |||
| Intrusion Search | IDS_Attacks.severity, .category, .signature, .src, .dest | |||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Malware Center | Malware Activity Over Time By Action | Malware | Malware_Attacks.action |
| Malware Activity Over Time By Signature | Malware_Attacks.signature | ||
| Top Infections | Malware_Attacks.signature, .dest | ||
| New Malware - Last 30 Days | None. Calls malware_tracker lookup. | ||
| Malware Operations | Clients By Product Version | None. Calls malware_operations_tracker lookup. | |
| Clients By Signature Version | |||
| Oldest Infections | |||
| Repeat Infections | Malware | Malware_Attacks.action, .signature, .dest | |
| Malware Search | Malware_Attacks.action, .file_name, .user, .signature, .dest | ||
N - S
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Network Changes | Network Changes By Action | Change Analysis | All_Changes.Network_Changes, .action |
| Network Changes By Device | All_Changes.Network_Changes, .dvc | ||
| New Domain Analysis | New Domain Activity | Web | Web.dest |
| New Domain Activity By Age | |||
| New Domain Activity By TLD | |||
| Registration Details | None | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Port & Protocol Tracker | Port/Protocol Profiler | Network Traffic | All_Traffic.transport, .dest_port |
| Prohibited Or Insecure Traffic Over Time - Last 24 Hours | All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port | ||
| Prohibited Traffic Details - Last 24 Hours | All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port | ||
| New Port Activity - Last 7 Days | None. Calls the application protocols lookup. | ||
| Protocol Center | Connections By Protocol | Network Traffic | All_Traffic.app |
| Usage By Protocol | All_Traffic.app, .bytes | ||
| Top Connection Sources | All_Traffic.src | ||
| Usage For Well Known Ports | All_Traffic.bytes, .dest_port | ||
| Long Lived Connections | All_Traffic.src, .src_port, .duration, .dest, .dest_port, .transport | ||
| Risk Analysis | Risk Modifiers Over Time | Risk Analysis | All_Risk.risk_score |
| Risk Score By Object | All_Risk.risk_score | ||
| Most Active Sources | All_Risk.risk_score, .risk_object | ||
| Recent Risk Modifiers | All_Risk.* | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Security Posture | Notable Events By Urgency | None. Calls a search over the es_notable_events KVStore collection. | |
| Notable Events Over Time | |||
| Top Notable Events | |||
| Top Notable Event Sources | |||
| Session Center | Sessions Over Time | Network Sessions | All_Sessions.Session_* |
| Session Details | All_Sessions.* | ||
| SSL Activity | SSL Activity By Common Name | Certificates | All_Certificates.SSL.ssl_subject_common_name |
| SSL Cloud Sessions | All_Certificates.SSL.ssl_subject_common_name, .src, | ||
| Recent SSL Sessions | |||
| SSL Search | All_Certificates.src, .dest, .ssl_subject_common_name, .ssl_subject_email, .ssl_issuer_common_name, .ssl_issuer_organization, .ssl_start_time, .ssl_end_time, .ssl_validity_window, .ssl_is_valid | ||
| Suppression Audit | Suppressed Events Over Time - Last 24 Hours | None | Calls a macro to search on notable events. |
| Suppression History Over Time - Last 30 Days | Calls a macro and a search on Summary Gen information. | ||
| Suppression Management Activity | Calls a search by eventtype. | ||
| Expired Suppressions | Calls a search by eventtype. | ||
| System Center | Operating Systems | None. Calls system_version_tracker lookup. | |
| Top-Average CPU Load By System | Performance | All_Performance.CPU.cpu_load_percent, All_Performance.dest | |
| Services By System Count | Application State | All_Application_State.Services | |
| Ports By System Count | All_Application_State.Ports | ||
T - Z
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Threat Activity | Threat Activity Over Time | Intrusion Detection, Network Traffic, and Web. See Threat Activity Data Sources for more details. | |
| Most Active Threat Collections | |||
| Most Active Threat Sources | |||
| Threat Activity Details | |||
| Threat Artifacts | Threat Overview | None. Calls the threat intelligence KVStore collections. See "Configure threat intelligence sources" for more details. | |
| Endpoint Artifacts | |||
| Network Artifacts | |||
| Email Artifacts | |||
| Certificate Artifacts | |||
| Threat Intelligence Audit | Threat Intelligence Downloads | None. Calls a search by REST endpoint. | |
| Threat Intelligence Audit Events | None. Calls a search by eventtype. | ||
| Time Center | Time Synchronization Failures | Performance | All_Performance.OS.Timesync, All_Performance.dest, .dest_should_timesync, OS.Timesync.action |
| Systems Not Time Synching | |||
| Indexing Time Delay | None. Calls the results of a Summary Gen search. | ||
| Time Service Start Mode Anomalies | Application State | All_Application_State.Services.start_mode, .Services.status, .dest_should_timesync, .tag, .dest | |
| Traffic Center | Traffic Over Time By Action | Network Traffic | All_Traffic.action |
| Traffic Over Time By Protocol | All_Traffic.transport | ||
| Scanning Activity (Many Systems) | All_Traffic.dest, .src | ||
| Top Sources | All_Traffic.src | ||
| Traffic Search | All_Traffic.action, .src_port, .src, .dest, .transport, .dest_port | ||
| Traffic Size Analysis | Traffic Size Anomalies Over Time | Network Traffic | All_Traffic.transport, .src |
| Traffic Size Details | All_Traffic.bytes, .dest, .src | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Update Center | Top Systems Needing Updates | Updates | Updates.status, .dest, .signature_id, .vendor_product |
| Top Updates Needed | Updates.status, .dest, .signature_id, .vendor_product | ||
| Systems Not Updating - Greater Than 30 Days | Updates.dest_should_update, .dest, .signature_id, .vendor_product, .status | ||
| Update Service Start Mode Anomalies | Application State | All_Application_State.Services.start_mode, .Services.status, .Services.service, .tag | |
| Update Search | Updates | Updates.dest_should_update, .status, .dest, .signature_id, .vendor_product | |
| URL Length Analysis | URL Length Anomalies Over Time | Web | Web.http_method, .url |
| URL Length Details | Web.url_length, .src, .dest, .url | ||
| User Activity | Users By Risk Scores | Risk Analysis | All_Risk.risk_object |
| Non-corporate Web Uploads | Web | Web.bytes, .user, .http_method, .url | |
| Non-corporate Email Activity | All_Email.size, .recipient, .src_user, | ||
| Watchlisted Site Activity | Web | Web.src, .url | |
| Remote Access | Authentication | Authentication.src, .user | |
| Ticket Activity | Ticket Management | All_Ticket_Management.description, .priority, . severity, .src_user | |
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| View Audit | View Activity Over Time | Splunk Audit Logs | View_Activity.app, .view |
| Expected View Activity | View_Activity.app, .view, .user | ||
| Vulnerability Center | Top Vulnerabilities | Vulnerabilities | Vulnerabilities.signature, .dest |
| Most Vulnerable Hosts | Vulnerabilities.signature, .severity, .dest | ||
| Vulnerabilities By Severity | Vulnerabilities.signature, .severity, .dest | ||
| New Vulnerabilities | Calls vuln_signature_reference lookup | ||
| Vulnerability Operations | Scan Activity Over Time | Vulnerabilities | Vulnerabilities.dest |
| Vulnerabilities By Age | Vulnerabilities.severity, .signature, .dest | ||
| Delinquent Scanning | Vulnerabilities.dest | ||
| Vulnerability Search | Vulnerabilities.category, .signature, .dest, .severity, .cve, | ||
| Web Center | Events Over Time By Method | Web | Web.http_method |
| Events Over Time By Status | Web.status | ||
| Top Sources | Web.dest, .src | ||
| Top Destinations | Web.dest, .src | ||
| Web Search | Web.http_method, .status, .src, .dest, .url | ||
Dashboards to Add-on
These dashboards are included in the Splunk App for Enterprise Security. Use the Navigation editor to add or rearrange dashboards on the menu bar.
To view entire the list of dashboards in the application, go to Search > Dashboards.
| Dashboard name | Security Domain | Part of Add-on |
|---|---|---|
| Access Anomalies | Access | DA-ESS-AccessProtection |
| Access Center | Access | DA-ESS-AccessProtection |
| Access Search | Access | DA-ESS-AccessProtection |
| Access Tracker | Access | DA-ESS-AccessProtection |
| Account Management | Access | DA-ESS-AccessProtection |
| Asset Center | Asset | SA-IdentityManagement |
| Asset Investigator | Asset | SA-IdentityManagement |
| Content Profile | Audit | SplunkEnterpriseSecuritySuite |
| Data Model Audit | Audit | Splunk_SA_CIM |
| Default Account Activity | Access | DA-ESS-AccessProtection |
| DNS Activity | Network | DA-ESS-NetworkProtection |
| DNS Search | Network | DA-ESS-NetworkProtection |
| Email Activity | Network | DA-ESS-NetworkProtection |
| Email Search | Network | DA-ESS-NetworkProtection |
| Endpoint Changes | Endpoint | DA-ESS-EndpointProtection |
| Forwarder Audit | Audit | SA-AuditAndDataProtection |
| HTTP Category Analysis | Network | DA-ESS-NetworkProtection |
| HTTP User Agent Analysis | Network | DA-ESS-NetworkProtection |
| Identity Center | Identity | SA-IdentityManagement |
| Identity_investigator | Identity | SA-IdentityManagement |
| Incident Review | Threat | SA-ThreatIntelligence |
| Incident Review Audit | Threat | SA-ThreatIntelligence |
| Indexing Audit | Audit | SA-AuditAndDataProtection |
| Intrusion Center | Network | DA-ESS-NetworkProtection |
| Intrusion Search | Network | DA-ESS-NetworkProtection |
| Malware Center | Endpoint | DA-ESS-EndpointProtection |
| Malware Operations | Endpoint | DA-ESS-EndpointProtection |
| Malware Search | Endpoint | DA-ESS-EndpointProtection |
| Network Changes | Network | DA-ESS-NetworkProtection |
| New Domain Analysis | Network | DA-ESS-NetworkProtection |
| Per-Panel Filter Audit | Audit | SA-Utils |
| Port & Protocol Tracker | Network | DA-ESS-NetworkProtection |
| Predictive Analytics | Splunk_SA_CIM | |
| Protocol Center | Network | DA-ESS-NetworkProtection |
| REST Audit | Audit | SA-Utils |
| Risk Analysis | Threat | SA-ThreatIntelligence |
| Search Audit | Audit | SA-AuditAndDataProtection |
| Security Posture | SplunkEnterpriseSecuritySuite | |
| Session Center | Identity | SA-IdentityManagement |
| SSL Activity | Network | DA-ESS-NetworkProtection |
| SSL Search | Network | DA-ESS-NetworkProtection |
| Suppression Audit | Threat | SA-ThreatIntelligence |
| System Center | Endpoint | DA-ESS-EndpointProtection |
| Threat Activity | Threat | DA-ESS-ThreatIntelligence |
| Threat Artifacts | Threat | DA-ESS-ThreatIntelligence |
| Threat Intelligence Audit | Audit | DA-ESS-ThreatIntelligence |
| Time Center | Endpoint | DA-ESS-EndpointProtection |
| Traffic Center | Network | DA-ESS-NetworkProtection |
| Traffic Search | Network | DA-ESS-NetworkProtection |
| Traffic Size Analysis | Network | DA-ESS-NetworkProtection |
| Update Center | Endpoint | DA-ESS-EndpointProtection |
| Update Search | Endpoint | DA-ESS-EndpointProtection |
| URL Length Analysis | Network | DA-ESS-NetworkProtection |
| User Activity | Identity | DA-ESS-IdentityManagement |
| View Audit | Audit | SplunkEnterpriseSecuritySuite |
| Vulnerability Center | Network | DA-ESS-NetworkProtection |
| Vulnerability Operations | Network | DA-ESS-NetworkProtection |
| Vulnerability Search | Network | DA-ESS-NetworkProtection |
| Web Center | Network | DA-ESS-NetworkProtection |
| Web Search | Network | DA-ESS-NetworkProtection |
Splunk App for Enterprise Security file structure
The Splunk App for Enterprise Security is composed of a series of underlying apps, each of which is implemented as a subdirectory of the $SPLUNK_HOME/etc/apps/ (*Nix) or $SPLUNK_HOME\etc\apps (Windows) directory in Splunk.
The following table shows the location of the Enterprise Security files within the Splunk directory structure.
| Path under $SPLUNK_HOME | Description |
|---|---|
| etc/apps/SplunkEnterpriseSecuritySuite etc\apps\SplunkEnterpriseSecuritySuite |
Contains the core components of the Spunk App for Enterprise Security |
| etc/apps/DA-* etc\apps\DA-* |
Each DA directory provides the underlying functionality for one of the domains in Splunk for Enterprise Security, including the saved searches, macros, and lookups. For example, the "DA-EndpointProtection" directory contains the functionality for the Endpoint protection domain. |
| etc/apps/SA- etc\apps\SA-* |
Each SA directory provides the underlying support modules for a specific area of knowledge used by the domains in Splunk for Enterprise Security. |
| etc/apps/TA-* etc\apps\TA-* |
Each TA directory contains the files for a specific technology supported by Splunk for Enterprise Security. These files include the content necessary to optimize, normalize, and categorize data inputs. |
Last modified on 24 April, 2015
| FAQ | Data models in the Enterprise Security app |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3
Download manual
Feedback submitted, thanks!